There are three core areas upon which Directors should focus their attention to help establish and maintain an effective compliance program. They are: (1) structure, (2) culture and (3) risk management.

Structural Questions

This area consists of questions which will aid in determining the fundamental soundness of a company’s overall compliance program. The questions should move from the basics of the program to how the program operates in practice. Some of the structural questions Board members should ask are the following.

  • Who oversees the operation of the program?
  • What is in the Code of Conduct? Is each Board member aware of corporate standards and procedures?
  • How are complaints being received?
  • Who conducts investigations and acts on the results?
  • What corporate resources are being devoted to the compliance and ethics program?
  • How much money is allocated to the program?
  • What types of training are required? How effective is it?
  • Have any compliance failures been detected? If so, how was such detection made?
  • If a company’s compliance program is less mature, what are the charter compliance documents?
  • If a company’s compliance program is more mature, there should be queries regarding the roles of the General Counsel vs. a Chief Compliance Officer. What is the CCO reporting structure?

Cultural Questions

This area of inquiry should focus on the culture of the organization regarding compliance. Board members should have an understanding of what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company. Some of the cultural questions Board members should ask are the following.

  • When did the company last conduct a survey to measure the corporate culture of compliance?
  • Is it time for the company to resurvey to measure the corporate culture of compliance?
  • If a survey is performed, what are the results? Have any deficiencies been demonstrated? If so, what is the action plan going forward to remedy such deficiencies?
  • Did any compliance investigations arise from a cultural problem?
  • Regardless of any survey results, what can be done to improve the culture of compliance within the company?
  • If there were any acquisitions, were they analyzed from a compliance culture perspective?
  • Are there any M&A deals on the horizon? If so, have they been reviewed from a compliance perspective?

Risk Management Questions

Board members need to understand the process the company uses to identify, evaluate and manage emerging risks. Such risk analysis would be broader than simply a compliance risk assessment and should be tied to other broader corporate matters.

  • What is the risk assessment process?
  • How effective is this risk assessment process? Is it stale?
  • Who is involved in the risk assessment process?
  • Does the risk assessment process take into account any new legal or compliance best practices developments?
  • Are there any new operations that pose substantial compliance risks for the company?
  • Is the company tracking enforcement trends? Are any competitors facing enforcement actions?
  • Has the company moved into any new markets which impose new or additional compliance risks?
  • Has the company developed any new product or service lines which change the company’s risk profile?

Three Key Takeaways

  1. A Board of Directors should inquire into the structural component of the compliance program, as this will aid in determining the fundamental soundness of a company’s overall compliance program.
  2. Cultural questions should be asked to garner an understanding of what message is being communicated not only from senior management but also from middle management.
  3. Risk management questions should be asked to understand the process the company uses to identify, evaluate and manage emerging risks.

Where does “Tone at the Top” start? For any public and most private US companies, it starts with the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First, a Board should not engage in management but should engage in oversight of the CEO and senior management. The Board does this by asking hard questions and through risk assessment and identification.

In a recent White Paper, entitled “Risk Intelligence Governance-A Practical Guide for Boards”, the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of compliance risk governance. I have adapted them to the Board’s role around compliance.

  1. Define the Board’s Role-there must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.
  2. Foster a culture of compliance risk management-all stakeholders should understand the compliance risks involved and manage such risks accordingly.
  3. Incorporate compliance risk management directly into a strategy-oversee the design and implementation of compliance risk evaluation and analysis.
  4. Help define the company’s appetite for compliance risk-all stakeholders need to understand the company’s appetite or lack thereof for compliance risk.
  5. Execute the compliance risk management process-the compliance risk management process should maintain an approach that is continually monitored and has continuing accountability.
  6. Benchmark and evaluate the compliance process-systems need to be in place which allow the compliance risk management process to be evaluated and modified as more information becomes available or as facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. First, the Board must have direct access to information on the company’s policies in this area. The Board must receive quarterly or semi-annual reports from the company’s Chief Compliance Officer, delivered to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee, as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and its self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) wants Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Reg SK 407, under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company which fails to make it to fines, penalties or profit disgorgement.

Three Key Takeaways

  1. The Board’s role is to keep really bad things from happening to a Company.
  2. There are six general areas the Board can inquire into and lead from.
  3. SEC Reg SK 407 may put greater scrutiny on Boards.

What are 6 fast and efficient areas of inquiry for a Board around compliance?


In this special live, on location episode, Jay Rosen and I discuss the recent SCCE 2017 Utilities and Energy Conference held in Washington DC. He hits on the highlights, topics, vendors and keynote speakers. We also discuss the impact of the recently released DOJ Evaluation of Corporate Compliance Programs. Finally, we have a guest appearance by Jim Moore, recently installed as SVP at Trust Point International. The Evaluation of Corporate Compliance Programs and my two blog posts on the Evaluation, Part I and Part II, are linked in the episode notes.

In this episode I visit with Morrison & Foerster partner James Koukios on the firm’s December newsletter on the Top Ten International Anti-Corruption Developments for December 2016. James and I visit about some of the lesser known highlights from the month of December 2016 in the global enforcement of anti-corruption laws.


In these final five days of my One Month to a Better Board series, I will look at inquiries and questions a Board can use to help the organization actually do compliance going forward. I begin with an exploration of how a Board can work to incorporate the compliance function into the long-term business strategy of the organization. A Board can do so by being committed to doing business ethically and in compliance with anti-corruption laws such as the FCPA, and by engaging actively with the Chief Compliance Officer and the compliance function. This post will begin a discussion of various tools and techniques a Board can use to reach this level of engagement.

The first point is to develop a framework for incorporating compliance into your long-term strategy. This framework draws from the State Street Global Advisors’ strategy for sustainability and adapts it to compliance. Setting up the framework for evaluation of the compliance function is a three-step process, which you can use to determine how comprehensive your compliance program is as a starting point.

Step 1-has the company identified the compliance issues relevant to the Board?

Step 2-has the company assessed and incorporated those compliance issues into its long-term strategy?

Step 3-has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First, a Board can work to identify the compliance issues material to your organization. This can be accomplished with compliance-related key performance indicators, which a Board should then prioritize to elevate their impact on compliance. A Board should consider these through the life-cycle of a business line or geographic sales area. Next, the Board should work to move compliance into the company’s long-term strategy, and should also have the CCO detail the long-term strategy for the compliance function.

Drawing from the February release of the Justice Department’s Evaluation of Corporate Compliance Programs (Evaluation), the Board should actively work to incorporate compliance into the long-term capital allocation of the company. Obviously the earlier the investment the better, as it brings benefits such as brand differentiation, a lower risk profile for the company and greater nimbleness in responding to the market.

The Board should oversee the incorporation of KPIs into senior management performance evaluations and compensation. Once again building upon the Evaluation, which asks how the company monitors its senior leadership’s behavior and how senior leadership modelled proper behavior to subordinates, the Board should make certain that systems are in place to quantify or measure performance related to compliance issues. It should establish performance goals against which compliance achievement is measured. Finally, it should disclose to shareholders the material compliance issues that drive compensation and the specific goals or performance targets that management has to achieve, and report on the actual performance against established goals to justify compensation payouts.

Finally, the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and in line with shareholder expectations, but, as the DOJ Evaluation makes clear, the operationalization of compliance is what the government expects going forward.

These general factors will lead us into more specific questions that a Board can pose as we continue One Month to a Better Board for a best practices compliance program.

Three Key Takeaways

  1. Having a long-term strategy is critical.
  2. What is the Board’s framework for assessing compliance?
  3. Create KPIs to measure senior management’s actions around compliance.